Access to Users can be restricted to certain IP or host masks in order to increase security. This offers security on top of the authentication with username and password: the user can only log in or use data functions when she has the correct credentials and connects from an allowed host.
A host restriction is a rule of the form
[IP or host mask] [ip|host] [allow|deny];
The first part contains an IP address mask or a host name mask. This mask is matched to the IP address or hostname of the connecting user. The mask may contain wildcards, where the character ‘%’ matches zero or more characters and ‘_’ matches a single character.
The second part, ‘ip’ or ‘host’, indicates whether the mask should be considered an IP address or a host name.
The third keyword, ‘allow’ or ‘deny’, specifies whether access should be allowed or denied.
If multiple rules match, the last matching rule is used to determine the behavior. This means the most general rules should come first. For example, access to a range of IPs can be denied by the first rule while the second rule allows access to one specific IP within the range.
If no rules are supplied, access is allowed for all hosts. Otherwise all hosts are denied by default, unless they match an ‘allow’ rule. Therefore at least one of the rules should ‘allow’ hosts, to avoid blocking every host.
Access restrictions can be set on both the level of Accounts and Users. If restrictions are set on both, the user's rules are checked first. If none of the user's rules match, the rules of the account are checked.
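The evaluation order described above (wildcard masks, last matching rule wins, user rules before account rules, default deny once any rule exists), as an added Python example that is not the product's own code. Function names and the sample rules are constructed; whole-string, case-sensitive matching and reading "no rules supplied" as "no rules at either level" are assumptions.

```python
import re

def mask_to_regex(mask):
    # '%' matches zero or more characters, '_' matches exactly one character.
    parts = [".*" if c == "%" else "." if c == "_" else re.escape(c) for c in mask]
    return re.compile("".join(parts), re.DOTALL)

def parse_rules(text):
    """Parse '[mask] [ip|host] [allow|deny];' rules, preserving their order."""
    rules = []
    for raw in text.split(";"):
        if not raw.strip():
            continue
        mask, kind, action = raw.split()
        if kind not in ("ip", "host") or action not in ("allow", "deny"):
            raise ValueError(f"bad rule: {raw.strip()!r}")
        rules.append((mask_to_regex(mask), kind, action))
    return rules

def decide(rules, ip, host):
    """Verdict of the LAST matching rule, or None when no rule matches."""
    verdict = None
    for pattern, kind, action in rules:
        subject = ip if kind == "ip" else host
        # Assumption: the mask must match the whole address or host name.
        if subject is not None and pattern.fullmatch(subject):
            verdict = action
    return verdict

def is_allowed(user_rules, account_rules, ip, host=None):
    if not user_rules and not account_rules:
        return True                      # no rules supplied: every host allowed
    verdict = decide(user_rules, ip, host)
    if verdict is None:                  # no user rule matched: ask the account
        verdict = decide(account_rules, ip, host)
    return verdict == "allow"            # nothing matched anywhere: denied

# Constructed sample rules (documentation address ranges and example.com).
ACCOUNT = parse_rules("% ip allow; 198.51.100.% ip deny; 198.51.100.7 ip allow;")
USER = parse_rules("%.example.com host allow; build.example.com host deny;")

if __name__ == "__main__":
    for ip, host in [("198.51.100.7", None), ("198.51.100.8", None),
                     ("198.51.100.8", "www.example.com"),
                     ("203.0.113.5", "build.example.com")]:
        print(ip, host, is_allowed(USER, ACCOUNT, ip, host))
```

Reordering the account rules so that the specific `allow` comes before the range `deny` would block 198.51.100.7, which is why the most general rules go first.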
Deny access (for all users) to all IPs except 123.456.789
Deny access (for all users) to all IPs. Allow access to user 1 for IP 123.456.789. Allow access to user 2 for host ‘subdomain.domain.com’ and IP 123.456.789. Deny access to user 3 for host ‘subdomain.domain.com’, but allow other hosts that end in ‘.domain.com’.
Allow access from all IPs, except for 18.104.22.168.
When an IP has been specifically whitelisted it will never be blocked through the User Lockout mechanism. This means that a whitelisted IP will never cause a lockout to occur. Previously issued bans will also be disregarded, re-activating the IP.
These methods can be used to set or view host restrictions.